Almost nine out of ten (86 per cent) retailers have never performed an inventory to clarify where data is stored and how it is managed, says a survey by Deloitte.

Such an inventory is the first step in complying with the Data Protection Act and the Payment Card Industry Data Security Standard.

Companies are holding more information on consumers, according to Deloitte consumer business partner Andy Morris.

"Retail companies are holding greater and greater amounts of customer data – from purchasing patterns recorded on customer loyalty cards, to financial information from credit cards," he said.

"Whilst this helps sales and marketing and can deliver valuable market and customer intelligence, it may also increase vulnerability to data theft."

Despite the lack of action, 73 per cent of firms said unauthorised access to personal information was the top concern from a privacy and reputational perspective.

But only 20 per cent have a formally defined information security strategy – the first step towards securing customer information.